SPEC compute-intensive benchmarks are often used to evaluate processors in
high-performance systems. However, such evaluations are valid only if these
benchmarks are representative of more comprehensive real workloads. I
present a comparative architectural analysis of SPEC CPU benchmarks and the
more realistic SPEC Java Server benchmark. This analysis indicates that the
integer subset of the CPU benchmarks is broadly representative of the branching
and cache characteristics of server and business workloads.

I also leverage the collected data to perform a statistical regression
analysis, estimating an application's performance as a linear function of
its observed architectural characteristics. A linear model derived from
simulated SPEC CPU data appears to fit the observed data quite well, with 94
percent of performance variance explained by four predictors that
incorporate cache and queue usage.
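
As a schematic illustration of this kind of model (our own sketch with made-up
numbers and placeholder predictor names, not the data or predictors from the
study), such a linear performance model can be fit by ordinary least squares:

    # Illustrative only: fit performance (e.g., CPI) as a linear function of
    # four placeholder architectural predictors using ordinary least squares.
    import numpy as np

    X = np.array([                     # hypothetical per-benchmark counters,
        [0.021, 0.004, 0.31, 0.12],    # e.g., cache miss rates and queue
        [0.035, 0.009, 0.44, 0.20],    # occupancies (made-up values)
        [0.012, 0.002, 0.25, 0.08],
        [0.048, 0.015, 0.52, 0.27],
        [0.027, 0.006, 0.38, 0.16],
        [0.040, 0.011, 0.47, 0.22],
    ])
    y = np.array([0.95, 1.40, 0.80, 1.85, 1.15, 1.60])   # observed CPI (made up)

    A = np.column_stack([np.ones(len(y)), X])            # add an intercept term
    coef, *_ = np.linalg.lstsq(A, y, rcond=None)

    resid = y - A @ coef
    r_squared = 1 - resid.var() / y.var()                # variance explained
    print(coef, r_squared)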

The linear model predicts server benchmark performance to within 2 percent
of the observed value. Despite the regression model's close fit to the
observed data, its predictive ability is constrained by the trace collection
facility. It is infeasible to use the performance of one trace suite to
predict the performance of another trace suite if the underlying trace
collection processes differ across suites.

The provenance of a file is metadata pertaining to the file's history.
Unlike conventional metadata stored in file systems, provenance is retrieved
primarily by running queries, which implies that it must be indexed and
exposed through a query interface. We believe that databases
are the most appropriate place to store provenance as they provide both
indexing and query capabilities.

The goal of this paper is to explore the most appropriate schema and
database technology for storing provenance. We discuss the possible
schemas for storing provenance and the tradeoffs involved in choosing
each of them. We then characterize the behavior of several popular
database architectures under provenance recording and querying
workloads. The architectures we consider are: RDBMS, schemaless
embedded databases (Berkeley DB), XML, and LDAP. Finally, we present
preliminary performance results for each architecture on provenance
recording and some common provenance queries. Our results indicate
that schemaless embedded databases perform best under most provenance
workloads, while RDBMS offers the best space utilization.
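
To make the schema discussion concrete, here is one hypothetical relational
layout for provenance (our own sketch using Python and SQLite for brevity, not
a schema from the paper): attributes are stored as (node, attribute, value)
rows and ancestry as an edge table, so that both attribute lookups and lineage
queries can be indexed.

    # Hypothetical relational provenance schema, illustration only.
    import sqlite3

    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE prov_attr (
            pnode     INTEGER,          -- provenance node (e.g., a file version)
            attribute TEXT,             -- e.g., 'cmdline', 'env', 'kernel'
            value     TEXT
        );
        CREATE TABLE prov_edge (
            descendant INTEGER,         -- pnode of the derived file
            ancestor   INTEGER          -- pnode of an input it was derived from
        );
        CREATE INDEX idx_attr ON prov_attr(pnode, attribute);
        CREATE INDEX idx_edge ON prov_edge(descendant);
    """)

    # Record: output.dat (pnode 2) was produced from input.dat (pnode 1) by 'sort'.
    db.execute("INSERT INTO prov_attr VALUES (2, 'cmdline', 'sort input.dat')")
    db.execute("INSERT INTO prov_edge VALUES (2, 1)")

    # A common provenance query: which nodes is pnode 2 derived from?
    print(db.execute("SELECT ancestor FROM prov_edge WHERE descendant = 2").fetchall())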

Most security models are designed to protect data. Some also deal with
traditional metadata. Provenance metadata introduces additional complexity,
as do the delicate interactions between provenance metadata and the data
it describes.

We designed a security model for provenance metadata. Our requirements were
derived from potential users. The security model consists of two
non-interfering models. One protects the structure or work-flow --- namely
which ancestors and descendants are accessible to which users. A second model
specifies which node attributes are accessible to which users. Our evaluation
suggests that our security model meets the users' requirements.

A Provenance-Aware Storage System (PASS) is a storage system that
automatically collects and maintains provenance or lineage, the
complete history or ancestry of an item. We discuss the advantages of
treating provenance as metadata collected and maintained by the
storage system, rather than as manual annotations stored in a
separately administered database. We present a PASS implementation,
discussing the challenges and performance cost, and the new
functionality it enables. We show that with reasonable overhead, we
can provide useful functionality not available in today's file
systems or provenance management systems.

Network fragmentation occurs when the accessibility of a network-based
resource to an observer is a function of how the observer is connected
to the network. In the context of the Internet, network fragmentation
is well known and occurs in many situations, including those created by the
increasing prevalence of network address translation, firewalls, and virtual
private networks. Recently, however, new threats to Internet
consistency have received media attention. Alternative namespaces have
emerged as the result of formal objections to the process by which
Internet names and addresses are provisioned. In addition, various
governments and service providers around the world have deployed network
technology that (accidentally or intentionally) restricts access to
certain Internet content. Combined with the aforementioned sources of
fragmentation, these new concerns provide ample motivation for a network
that allows users to specify not only the network location
of Internet resources they want to view but also the perspectives from
which they want to view them. Our vision of a Perspective Access
Network is a peer-to-peer overlay network that incorporates routing and
directory services that allow non-hierarchical organization. In this
paper, we present the design, implementation, and evaluation of a
directory service for such networks. We demonstrate its feasibility and
efficacy using measurements from a test deployment using PlanetLab.

Kullback-Leibler divergence is a natural distance measure between two
probabilistic finite-state automata. Computing this distance is
difficult, since it requires a summation over a countably infinite
number of strings. Nederhof and Satta (2004) recently provided a
solution in the course of solving the more general problem of finding
the cross-entropy between a probabilistic context-free grammar and an
unambiguous probabilistic automaton. We propose a novel solution for
two unambiguous probabilistic automata by showing that
Kullback-Leibler divergence can be defined as a rational
kernel (Cortes et al., 2004) over the expectation
semiring (Eisner, 2002). With this definition, the computation is
carried out by the general algorithm for rational kernels, yielding
an elegant and efficient solution.
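
For reference, the divergence in question is the standard Kullback-Leibler
divergence lifted to the string distributions p and q defined by the two
automata (notation ours):

    D(p \,\|\, q) \;=\; \sum_{x \in \Sigma^*} p(x) \log \frac{p(x)}{q(x)}

the difficulty being that the sum ranges over the countably infinite set of
strings in \Sigma^*.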

We propose regression modeling as an effective approach for accurately
predicting performance and power for various applications executing on any
microprocessor configuration in a large microarchitectural design space.
This report addresses the fundamental challenge of microarchitectural
simulation cost via statistical modeling.

Specifically, we derive and validate regression models for performance and
power. Such models enable computationally efficient statistical inference,
requiring the simulation of only 1 in 5 million points of a joint
microarchitecture-application design space while achieving error rates as
low as 4.1 percent for performance and 4.3 percent for power. Although both
models achieve similar accuracy, the sources of accuracy are strikingly
different. We present optimizations for a baseline regression model to
obtain (1) per benchmark application-specific models designed to maximize
accuracy in performance prediction and (2) regional power models leveraging
only the most relevant samples from the microarchitectural design space to
maximize accuracy in power prediction. Assessing model sensitivity to
sample and region sizes, we find that 4,000 samples from a design space of
approximately 22 billion points are sufficient for both
application-specific and regional modeling and prediction. Collectively,
our results suggest significant potential in accurate and efficient
statistical inference for microarchitectural design space exploration via
regression models.
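
As a toy illustration of the regional idea (our own sketch over a synthetic
design space, not the report's models, parameters, or data), a prediction at a
query configuration can be made from a regression fit only to the nearest
sampled design points:

    # Toy regional modeling sketch: fit a local linear model using only the
    # sampled configurations closest to the configuration being predicted.
    import numpy as np

    rng = np.random.default_rng(0)
    samples = rng.uniform(size=(4000, 6))      # sampled configs, 6 scaled knobs
    power = samples @ np.array([3.0, 1.5, 0.5, 2.0, 0.2, 1.0]) \
            + rng.normal(0.0, 0.1, 4000)       # synthetic "simulated" power

    def regional_predict(query, region_size=200):
        # Keep only the region_size sampled configurations nearest the query.
        dist = np.linalg.norm(samples - query, axis=1)
        idx = np.argsort(dist)[:region_size]
        A = np.column_stack([np.ones(region_size), samples[idx]])
        coef, *_ = np.linalg.lstsq(A, power[idx], rcond=None)
        return np.concatenate(([1.0], query)) @ coef

    print(regional_predict(rng.uniform(size=6)))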

In previous work we have proposed a Dependent Hoare Type Theory (HTT)
as a framework for developing and reasoning about higher-order
functional programs with effects of state, aliasing, and
nontermination. The main feature of HTT is the type of Hoare triples
{P}x:A{Q}, specifying computations with precondition P and
postcondition Q that return a result of type A.

Here we extend HTT with predicative type polymorphism. Type
quantification is possible in both types and assertions, and we can
also quantify over Hoare triples. We show that as a consequence it
becomes possible to reason about disjointness of heaps in the
assertion logic of HTT. We use this expressiveness to interpret the
Hoare triples in the ``small footprint'' manner advocated by
Separation Logic, whereby a precondition tightly describes the heap
fragment required by the computation. We support stateful commands of
allocation, lookup, strong update, deallocation, and pointer
arithmetic.
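
As a schematic example of a small-footprint specification (ours, not an
example taken from the paper), a lookup through a pointer x currently holding
a value v of type A could be given a Hoare type along the lines of

    \{x \mapsto v\}\; r:A\; \{x \mapsto v \wedge r = v\}

whose precondition describes only the single heap cell that the computation
requires.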

Although shadow mapping has found widespread adoption among those who seek
realistic and believable lighting, the algorithm suffers from an aliasing
problem that is difficult to control. Recent insights have spurred a flurry
of activity and bred a number of novel heuristic approaches to such control.
Unfortunately, many of the proffered heuristics, while improving shadow
quality for certain scenes, offer little guarantee outside these specific
domains. In contrast, we present a metric formulation of shadow quality that
permits us to solve for optimal parameters (under a chosen metric) for
mitigating the aliasing issue.

Perspective Access Networks provide an infrastructure with which users
can specify the location from which they wish to view the Internet. The
ability to specify location has become necessary as the Internet has
become increasingly inconsistent. The increasing prevalence of
middleboxes, location-dependent services, and large-scale content
filtering has contributed to this situation.

Our work offers the following contributions. First, we propose an
infrastructure that routes traffic to a location from which a given
resource can be viewed, taking instructions from user-specified
attributes describing the desired location. Second, we analyze the
tradeoff between the expressivity of user requests and the finite
resources available within the network for propagating metadata about
available perspectives. Third, we stipulate a set of real scenarios
that fall within the limits of what can reasonably be handled by a
system appropriately tuned to manage the tradeoff, and we argue that the
specific algorithm we propose can handle the scenarios effectively.

Hoare Type Theory (HTT) combines a dependently typed,
higher-order language with monadically encapsulated, stateful
computations. The type system incorporates pre- and postconditions,
in a fashion similar to Hoare Logic and Separation Logic, so that
programmers can modularly specify the requirements and effects of
computations within types.

When combined with the Hoare-like specifications, abstract predicates
provide a powerful way to define and encapsulate the invariants of
private state; that is, state which may be shared by several
functions, but is not accessible to their clients. We demonstrate this
power by sketching a number of abstract data types and functions that
demand ownership of mutable memory, including an idealized custom
memory manager.

This paper investigates the problem of estimating the value of
probabilistic parameters needed for decision making in environments
in which an agent, operating within a multi-agent system, has no
a priori information about the structure of the distribution of
parameter values. The agent must be able to produce estimates
even when it has made only a small number of direct
observations, and thus it must be able to operate with sparse data.
The paper describes a mechanism that enables the agent to
significantly improve its estimates with only a small number of
observations by augmenting its direct observations with those
obtained by other agents with which it is coordinating. To avoid
undesirable bias in relatively heterogeneous environments while
effectively using relevant data to improve its estimates, the
mechanism weights the contributions of other agents' observations
based on a real-time estimate of the level of similarity between
each of these agents and itself. The ``coordination autonomy'' (CA)
module of a coordination-manager system provided an empirical
setting for evaluation. Simulation-based evaluations demonstrate
that the proposed mechanism outperforms estimates based
exclusively on an agent's own observations as well as estimates
based on an unweighted aggregate of all other agents' observations.
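
A minimal sketch of this kind of similarity-weighted pooling (our own
illustration; the weighting scheme and the names below are assumptions, not
the paper's formulas):

    # Combine an agent's sparse observations with other agents' observations,
    # each weighted by an estimated similarity in [0, 1] to the estimating agent.
    def weighted_estimate(own_obs, others):
        """others: list of (similarity, observations) pairs from coordinating agents."""
        total, weight = sum(own_obs), float(len(own_obs))
        for similarity, obs in others:
            total += similarity * sum(obs)
            weight += similarity * len(obs)
        return total / weight if weight > 0 else None

    # Two direct observations, plus data from a similar and a dissimilar agent.
    print(weighted_estimate([4.0, 5.0], [(0.9, [4.5, 5.5, 4.0]), (0.2, [9.0, 10.0])]))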

This paper addresses the problem of identifying the value of
information held by a teammate on a distributed, multi-agent team.
It focuses on a distributed scheduling task in which computer agents
support people who are carrying out complex tasks in a dynamic
environment. The paper presents a decision-theoretic algorithm for
determining the value of information that is potentially relevant to
scheduling revisions, but is directly available only to the person
and not the computer agent. The design of a ``coordination
autonomy'' (CA) module within a coordination-manager system provided
the empirical setting for this work. By design, the CA module
depends on an external scheduler module to determine the specific
effect of additional information on overall system performance. The
paper describes two methods for reducing the number of queries the
CA issues to the scheduler, enabling it to satisfy computational
resource constraints placed on it. Experimental results indicate
that the algorithm improves system performance and establish the
exceptional efficiency---measured in terms of the number of queries
required to estimate the value of information---that can be achieved
by the query-reducing methods.
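
The quantity such an algorithm estimates is the standard decision-theoretic
value of information; in notation of our own choosing (not the paper's), the
value of learning a variable I before selecting a scheduling action a is

    \mathrm{VOI}(I) \;=\; \mathbb{E}_{i \sim P(I)}\Big[\max_{a} \mathbb{E}[U \mid a, I = i]\Big] \;-\; \max_{a} \mathbb{E}[U \mid a]

i.e., the expected gain in utility from acting after the observation rather
than before it, which the CA module must approximate without issuing too many
scheduler queries.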

We present a new operating system scheduling algorithm for multicore
processors. Our algorithm reduces the effects of unequal CPU cache sharing
that occur on these processors and cause unfair CPU sharing, priority
inversion, and inadequate CPU accounting. We describe the implementation of
our algorithm in the Solaris operating system and demonstrate that it
produces fairer schedules, enabling better priority enforcement and improved
performance stability for applications. With conventional scheduling
algorithms, application performance on multicore processors varies by up to
36% depending on the runtime characteristics of concurrent processes. We
reduce this variability by up to a factor of seven.

Desynchronization is a novel primitive for sensor networks: nodes
perfectly interleave periodic events so that they occur in a
round-robin schedule. This primitive can be used to evenly distribute
sampling burden in a group of nodes, schedule sleep cycles, or
organize a collision-free TDMA schedule for transmitting wireless
messages. Here we present DESYNC, a biologically-inspired
self-maintaining algorithm for desynchronization in a single-hop
network. We present (1) theoretical results proving convergence and
bounding convergence rates, (2) experimental results on TinyOS-based
Telos sensor motes, and (3) a DESYNC-based TDMA protocol. DESYNC-TDMA
addresses two weaknesses of traditional TDMA: it does not require a
global clock and it automatically adjusts to the number of
participating nodes, so that bandwidth is always fully utilized.
Experimental results show a reduction in message loss under high
contention from approximately 58% to less than 1%, as well as a 25%
increase in throughput over the default Telos MAC protocol.
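
A toy single-hop simulation of the midpoint-adjustment idea behind
desynchronization (our own sketch; the jump parameter alpha and the
synchronous update schedule are simplifying assumptions, not the protocol
details):

    # Each node nudges its firing phase toward the midpoint of its two
    # phase-neighbours, driving the group toward an even round-robin schedule.
    import numpy as np

    def desync_round(phases, alpha=0.5):
        order = np.argsort(phases)
        new = phases.copy()
        n = len(phases)
        for k, i in enumerate(order):
            gap_prev = (phases[i] - phases[order[(k - 1) % n]]) % 1.0
            gap_next = (phases[order[(k + 1) % n]] - phases[i]) % 1.0
            # Move a fraction alpha of the way toward equalizing the two gaps.
            new[i] = (phases[i] + alpha * (gap_next - gap_prev) / 2.0) % 1.0
        return new

    phases = np.random.default_rng(1).uniform(size=8)
    for _ in range(50):
        phases = desync_round(phases)
    print(np.diff(np.sort(phases)))   # gaps approach 1/8: an even schedule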

We consider deletion channels and insertion channels under an
additional segmentation assumption: the input consists of disjoint
segments of b consecutive bits, with at most one error per segment.
Under this assumption, we demonstrate simple and computationally
efficient deterministic encoding and decoding schemes that achieve a
high provable rate even under worst-case errors. We also consider
more complex schemes that experimentally achieve higher rates under
random error.
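
A small sketch of the channel model itself (illustration only, not the paper's
encoding or decoding schemes): the input is cut into disjoint segments of b
bits, and each segment independently loses at most one bit.

    # Segmented deletion channel: at most one deletion per b-bit segment.
    import random

    def segmented_deletion_channel(bits, b, p_delete=0.5, rng=random):
        out = []
        for start in range(0, len(bits), b):
            segment = list(bits[start:start + b])
            if segment and rng.random() < p_delete:   # at most one deletion here
                del segment[rng.randrange(len(segment))]
            out.extend(segment)
        return out

    print(segmented_deletion_channel([0, 1] * 8, b=4))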

The notion of "sending a secret message to the future" has been around for
over a decade. Despite this, no solution to this problem is in common use,
nor has any attained widespread acceptance as a fundamental cryptographic
primitive. We name, construct, and specify an implementation of this new
cryptographic primitive, "Time-Lapse Cryptography", with which a sender can
encrypt a message so that it is guaranteed to be revealed at an exact moment
in the future, even if this revelation turns out to be undesirable to the
sender. Our solution combines new ideas with Pedersen distributed key
generation, Feldman verifiable threshold secret sharing, and ElGamal
encryption, all of which rest upon the single, broadly accepted Decisional
Diffie-Hellman assumption. We develop a Time-Lapse Cryptography Service
("the Service") based on a network of parties who jointly perform the
service. The protocol is practical and secure: at a given time the Service
publishes a public key so that anyone can use it, even anonymously.
Senders encrypt their messages with this public key, whose corresponding
private key is not known to anyone -- not even a trusted third party -- until
a predefined and specific future time, at which point the private key is
constructed and published. At or after that time, anyone can decrypt the
ciphertext using
this private key. The Service is envisioned as a public utility publishing
a continuous stream of encryption keys and subsequent corresponding time-lapse
decryption keys. We complement our theoretical foundation with descriptions
of specific attacks and defenses, and describe important applications of our
service in sealed bid auctions, insider stock sales, clinical trials, and
electronic voting.
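
As a point of reference for one of the building blocks, here is textbook
ElGamal encryption in miniature (toy parameters, wildly insecure, and not the
Service's protocol, which never lets any single party hold the private key
before the reveal time):

    # Textbook ElGamal over a tiny prime field, for illustration only.
    import random

    p, g = 467, 2                      # toy prime modulus and generator
    x = random.randrange(1, p - 1)     # private key (kept secret until "reveal")
    h = pow(g, x, p)                   # public key, published in advance

    def encrypt(m, h):
        r = random.randrange(1, p - 1)
        return pow(g, r, p), (m * pow(h, r, p)) % p    # ciphertext (c1, c2)

    def decrypt(c1, c2, x):
        return (c2 * pow(c1, p - 1 - x, p)) % p        # c2 / c1^x mod p

    c1, c2 = encrypt(42, h)
    print(decrypt(c1, c2, x))          # 42, once the private key is available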